Google made a subtle change to Chrome that could help it track you online

The latest update to Google's Chrome browser automatically signs users in if they use any other Google services.

Although users still have to consent to have their Chrome data synced across their account, privacy advocates see this as a breach of user trust.

Ultimately, this change more explicitly frames Google Chrome as another Google service, rather than as a neutral platform to surf the web.

The most recent update of Google's popular Chrome browser includes a policy change that makes privacy advocates uncomfortable: The browser automatically signs users in to Chrome if they use any other Google services.

That means if you're using Chrome to sign in to a Google service like Gmail, Chrome will begin tracking information such as the other sites you visit and which tabs you have open until you close the browser or sign out of either Chrome or Gmail.

If you give Google permission by clicking an option to "Sync," that information is sent back to Google.

Once it's there, Google can use it for several purposes. On the plus side, if you sign in to Chrome on a different computer, all your stuff — including extensions, bookmarks, browsing history and saved passwords — will show up, ready to use.

But on the minus side for people concerned about privacy, Google can add that data to the vast amount that it already has about you through other linked accounts, such as Maps and YouTube. Google uses that data to target ads.

Previously, it was possible to use the Google Chrome browser to sign in to a Google service, like Gmail, without actually logging into the browser itself. The browser would only store information locally; you never even had the option to send it back to Google (unless you signed in to Chrome by choice).

Ultimately, this change more explicitly frames Chrome as another Google service, rather than as a neutral platform to surf the web.

'What stops you from changing your mind?'

Although the Chrome browser update happened in mid-September, Google was scrambling to explain the policy change over the weekend after cryptographer and Johns Hopkins Information Security assistant professor Matthew Green highlighted the issue on his Twitter account and then in a blog post titled Why I'm Done with Chrome .

Green had personally been using Chrome without logging in for years. This was a good option for users like him who didn't want their Chrome browsing history sent to Google or linked to the Google account that they used for Gmail, for example. He argues this is a betrayal of trust.

"If you didn't respect my lack of consent on the biggest user-facing privacy option in Chrome (and didn't even notify me that you had stopped respecting it!) why should I trust any other consent option you give me?" Green wrote. "What stops you from changing your mind on that option in a few months, when we've all stopped paying attention?"

He also criticizes the user interface that Google uses to ask whether it can sync your data. Indeed, if you click the drop-down menu in Chrome, the phrasing doesn't make it clear whether you're sending your data back to Google or not.

The interface could cause people to "think they're already syncing and thus there's no additional cost to increasing Google's access to their data," he writes.

Here's how Google asks for consent to sync your data:

In response to Green's Twitter thread, Google Chrome product manager Adrienne Porter Felt said that Google made this change to stop users who share devices from thinking that they had signed out of Chrome when they actually had not.

Tweet

Google's argument is that by tying Chrome and other Google service accounts together, it will be harder for you to accidentally "leak" data, like passwords stored in Chrome, across accounts (like if somebody else uses your computer).

However, as Green writes, the change still completely eliminates an option that used to be available to users who never signed in to Chrome in the first place, but still wanted to use other Google services.

Google Chrome’s next release will address privacy concerns with cookies and sign-ins

Google today said that it will make changes in the Chrome browser to address privacy concerns regarding cookies and user sign-ins. These improvements will roll out in Chrome’s next update – version 70.

Earlier this week, a bunch of users found out that Google was automatically signing them into Chrome when they signed into any Google services. An engineer and manager on the Chrome team clarified later that this doesn’t mean the browser is uploading user data to Google servers.

In Chrome 70, you will be able to toggle an option called Allow Chrome sign-in, which will give you control over whether signing into any Google service also signs you into the browser automatically.

There’s more: on Monday, Christopher Tavan, CTO at ContentPass, found out that Chrome 69 keeps Google cookies even if you delete all cookies. People on the teams behind rival browsers Firefox and Brave expressed their disappointment over this on Twitter, citing privacy concerns.

Google said that it is correcting the behavior in the next Chrome update, so all the cookies will be deleted when you clear your browsing data. The company said that Chrome 70 will release mid-October.

It is nice to see the company reacting to users’ privacy-related concerns quickly, but as these issues have shown, we’ll want to be vigilant and keep an eye out for other issues that may surface in future versions of Google’s browser.

Eleven days ago, we excoriated Microsoft for its now-scuttled plan to add “warnings” to Windows 10 that would nudge users away from using Chrome and Firefox and towards Microsoft’s own browser, Edge. After ferocious outcry, Redmond backed away from this plan, rightly perceiving the issue as a bridge too far when it comes to spreading FUD about its competitors in an attempt to boost its browser’s market share. But Google’s most recent behavior with Chrome 69 isn’t doing it any favors, either, and the company has adopted some new approaches that blur the difference between what it means to be logged into Chrome or not, overriding previous user settings in the process. The company’s explanation for these behaviors, furthermore, does not hold water.

Let’s start at the beginning. Prior to Chrome 69, Chrome offered an optional sign-in feature. This feature had nothing to do with your various accounts on services like Gmail or YouTube — instead, it allowed Google to synchronize things like cookies and bookmarks across all of the devices on which you used Chrome services. Many people embraced the feature, but Google kept it opt-in. The old login icon looked like a blank outline of a person. When clicked, it displayed the following message:

But now, Google has changed this message. Download and install Chrome 69, and the browser now treats this sign-in option as exercised if you log into any Google account. In other words, Google now treats the Chrome sign-in and the Google account sign-in as equivalent.

There was no reason to make this change. The stated rationale for this change, as expressed by Google engineer and manager Adrian Porter Felt is as follows (thread linked below, but we’ll summarize:)

Google Chrome’s next release will address privacy concerns with cookies and sign-ins

Google today said that it will make changes in the Chrome browser to address privacy concerns regarding cookies and user sign-ins. These improvements will roll out in Chrome’s next update – version 70.

Earlier this week, a bunch of users found out that Google was automatically signing them into Chrome when they signed into any Google services. An engineer and manager on the Chrome team clarified later that this doesn’t mean the browser is uploading user data to Google servers.

In Chrome 70, you will be able to toggle an option called Allow Chrome sign-in, which will give you control over whether signing into any Google service also signs you into the browser automatically.

There’s more: on Monday, Christopher Tavan, CTO at ContentPass, found out that Chrome 69 keeps Google cookies even if you delete all cookies. People on the teams behind rival browsers Firefox and Brave expressed their disappointment over this on Twitter, citing privacy concerns.

Google said that it is correcting the behavior in the next Chrome update, so all the cookies will be deleted when you clear your browsing data. The company said that Chrome 70 will release mid-October.

It is nice to see the company reacting to users’ privacy-related concerns quickly, but as these issues have shown, we’ll want to be vigilant and keep an eye out for other issues that may surface in future versions of Google’s browser.